2025-06-26-13-33-49: Cronjob

roles/lmn_sssd/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: Restart sssd
+  ansible.builtin.service:
+    name: sssd
+    state: restarted
+    enabled: true
+  listen: "Restart sssd"

roles/lmn_sssd/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: Install needed packages
+  ansible.builtin.apt:
+    name:
+      - sssd-ad
+      - sssd-tools
+      - adcli
+
+- name: Provide user identities from AD
+  ansible.builtin.template:
+    src: sssd.conf.j2
+    dest: /etc/sssd/sssd.conf
+    mode: '0600'
+  notify: Restart sssd
+
+  ## Either one of the variables is defined:
+- name: Join the domain
+  ansible.builtin.shell:
+    cmd: >
+      echo "{{ ansible_cmdline.adpw | default('') + adpw.user_input | default('') }}" |
+      adcli join --stdin-password -U global-admin {{ domain | upper }}
+  when: >
+    ansible_cmdline.adpw | default('') | length > 0 or
+    adpw.user_input | default('') | length > 0

roles/lmn_sssd/templates/sssd.conf.j2

@@ -0,0 +1,22 @@
+[sssd]
+domains = {{ domain }}
+config_file_version = 2
+implicit_pac_responder = False
+
+[domain/{{ domain }}]
+krb5_realm = {{ domain | upper }}
+ad_domain = {{ domain }}
+id_provider = ad
+access_provider = ad
+use_fully_qualified_names = False
+cache_credentials = True
+krb5_store_password_if_offline = True
+default_shell = /usr/bin/bash
+# default: # ldap_id_mapping = True
+ad_gpo_access_control = disabled
+ad_gpo_ignore_unreadable = True
+ad_maximum_machine_account_password_age = 0
+ignore_group_members = True
+{% if localhome is defined and localhome %}
+override_homedir = /home/%u
+{% endif %}